Hi, two weeks or so ago I had a pop-up fake online scan warning. I shut down the computer, thinking that this was the only way to exit the warnings. Following this I used CCleaner, and F-Prot, but didn't come up with anything, so I hoped that I had had a clean escape.

Today, however, an F-Prot scan has picked up and quarantined five files in which malware (W32/MalwareF.GMXU, W32/MalwareS.BJBR) has been detected.

The malware names F-Prot used really don't say much, as far as getting a handle on what the files are. With your next reply here, see if you can get some type of F-Prot log, so you can post the file names, and hopefully what folder F-Prot moved them from.

Quote

Two weeks or so ago I had a pop-up fake online scan warning. I shut down the computer, thinking that this was the only way to exit the warnings. Following this I used Ccleaner, and F-Prot, but didn't come up with anything

Those often are just files saved to your browser's temp files folder, so your choice to shut down very likely kept any malware downloaders from getting a chance to run. At times a reboot gains an advantage for the malware being installed, and can cause disk/file system problems. If you do the Emergency First Aid for Computer Infections steps shown here, you will then be ready should the problem occur again.

As for this log posted, the only suspect item is that 192.168.1.2:3128. Lately, malware packages have included a proxy setting that appears to loop back to the computer. I have assumed that obscures the actual Internet access the malware is using. Bit of a guess on that though.

The log also shows what appear to be some active components left from some past partial uninstall.

Let's get a better detailed check of things, then decide on what repairs you need there.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.

If RSIT downloads/installs HijackThis be sure to agree to the install of that.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-------------

Also download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

Kia Ora Jintan, thanks for your reply, and for a way to start on recovery.

Following are the logs you asked for. However, I was unable to run the GMER program; I tried twice but get a "bad_pool_header" error, and shutdown. Windows reporting says that this is caused by a device driver. I've managed to get an F-Prot log also, just posting this from the first time a virus was found and quarantined, on the 12th. Sorry these are quite long~

F-Prot first:

14/12/2010 9:20:53 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
14/12/2010 9:20:51 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
14/12/2010 9:13:34 a.m. VzRs Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VzRs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 9:13:32 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Sample
14/12/2010 9:13:32 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. D:\Contents
14/12/2010 9:13:22 a.m. VzFw Information None 1 N/A KARLA_LAPTOP Service started.
14/12/2010 9:13:22 a.m. VzFw Error None 108 N/A KARLA_LAPTOP Failed to start monitoring folder. (00000000) C:\Documents and Settings\All Users\Application Data\Sony Corporation\PictureGear Studio\Samples\PhotoCollection\Samples
14/12/2010 9:13:10 a.m. SecurityCenter Information None 1800 N/A KARLA_LAPTOP The Windows Security Center Service has started.
14/12/2010 9:13:07 a.m. VAIO Event Service Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VAIO Event Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 9:12:55 a.m. RegSrvc Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 9:12:34 a.m. EvtEng Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 9:09:27 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
14/12/2010 9:09:24 a.m. VzRs Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VzRs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 9:09:23 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
14/12/2010 9:09:23 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Sample
14/12/2010 9:09:23 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. D:\Contents
14/12/2010 9:09:18 a.m. VzFw Information None 1 N/A KARLA_LAPTOP Service started.
14/12/2010 9:09:18 a.m. VzFw Error None 108 N/A KARLA_LAPTOP Failed to start monitoring folder. (00000000) C:\Documents and Settings\All Users\Application Data\Sony Corporation\PictureGear Studio\Samples\PhotoCollection\Samples
14/12/2010 9:09:11 a.m. SecurityCenter Information None 1800 N/A KARLA_LAPTOP The Windows Security Center Service has started.
14/12/2010 9:09:10 a.m. VAIO Event Service Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VAIO Event Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 9:08:58 a.m. RegSrvc Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 9:08:23 a.m. EvtEng Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 8:04:13 a.m. F-PROT Antivirus Warning Scanner 4096 NT AUTHORITY\SYSTEM KARLA_LAPTOP Found file, C:\WINDOWS\TEMP\FPQ9.tmp, infected with W32/MalwareS.BJBR
For more information please visit http://www.f-prot.com/support/index.html
14/12/2010 8:02:01 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
14/12/2010 8:02:01 a.m. VzRs Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VzRs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 8:01:58 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
14/12/2010 8:01:55 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Sample
14/12/2010 8:01:55 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. D:\Contents
14/12/2010 8:01:50 a.m. VzFw Information None 1 N/A KARLA_LAPTOP Service started.
14/12/2010 8:01:50 a.m. VzFw Error None 108 N/A KARLA_LAPTOP Failed to start monitoring folder. (00000000) C:\Documents and Settings\All Users\Application Data\Sony Corporation\PictureGear Studio\Samples\PhotoCollection\Samples
14/12/2010 8:01:45 a.m. VAIO Event Service Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VAIO Event Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 8:01:44 a.m. SecurityCenter Information None 1800 N/A KARLA_LAPTOP The Windows Security Center Service has started.
14/12/2010 8:01:36 a.m. RegSrvc Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
14/12/2010 8:00:54 a.m. EvtEng Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
13/12/2010 11:12:44 p.m. Userenv Warning None 1517 NT AUTHORITY\SYSTEM KARLA_LAPTOP Windows saved user KARLA_LAPTOP\karla registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
13/12/2010 3:31:44 p.m. F-PROT Antivirus Warning Scanner 4096 NT AUTHORITY\SYSTEM KARLA_LAPTOP Found file, C:\WINDOWS\TEMP\FPQ6D.tmp, infected with W32/MalwareF.GMXU
For more information please visit http://www.f-prot.com/support/index.html
13/12/2010 7:37:29 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
13/12/2010 7:37:27 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
13/12/2010 7:37:18 a.m. VzRs Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VzRs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
13/12/2010 7:37:17 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Sample
13/12/2010 7:37:17 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. D:\Contents
13/12/2010 7:37:16 a.m. VzFw Information None 1 N/A KARLA_LAPTOP Service started.
13/12/2010 7:37:16 a.m. VzFw Error None 108 N/A KARLA_LAPTOP Failed to start monitoring folder. (00000000) C:\Documents and Settings\All Users\Application Data\Sony Corporation\PictureGear Studio\Samples\PhotoCollection\Samples
13/12/2010 7:37:09 a.m. VAIO Event Service Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VAIO Event Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
13/12/2010 7:37:07 a.m. SecurityCenter Information None 1800 N/A KARLA_LAPTOP The Windows Security Center Service has started.
13/12/2010 7:36:56 a.m. RegSrvc Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
13/12/2010 7:36:34 a.m. EvtEng Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2010 10:31:07 p.m. Userenv Warning None 1517 NT AUTHORITY\SYSTEM KARLA_LAPTOP Windows saved user KARLA_LAPTOP\karla registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
12/12/2010 11:02:53 a.m. F-PROT Antivirus Information Scanner 4096 NT AUTHORITY\SYSTEM KARLA_LAPTOP A virus scan ended. Scan duration: 1:23:44
For more information please visit http://www.f-prot.com/support/index.html
12/12/2010 8:21:29 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
12/12/2010 8:21:27 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP The OAS driver is running.
12/12/2010 8:21:20 a.m. VzRs Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VzRs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2010 8:21:19 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Sample
12/12/2010 8:21:19 a.m. VzFw Information None 107 N/A KARLA_LAPTOP Started monitoring folder. D:\Contents
12/12/2010 8:21:18 a.m. VzFw Information None 1 N/A KARLA_LAPTOP Service started.
12/12/2010 8:21:18 a.m. VzFw Error None 108 N/A KARLA_LAPTOP Failed to start monitoring folder. (00000000) C:\Documents and Settings\All Users\Application Data\Sony Corporation\PictureGear Studio\Samples\PhotoCollection\Samples
12/12/2010 8:21:09 a.m. VAIO Event Service Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( VAIO Event Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2010 8:21:06 a.m. SecurityCenter Information None 1800 N/A KARLA_LAPTOP The Windows Security Center Service has started.
12/12/2010 8:20:57 a.m. RegSrvc Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
12/12/2010 8:20:35 a.m. EvtEng Information None 0 N/A KARLA_LAPTOP The description for Event ID ( 0 ) in Source ( EvtEng ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.

Computer Name: KARLA_LAPTOP
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0016CF14A102. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Computer Name: KARLA_LAPTOP
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\OFFICE on the network \Device\NetBT_Tcpip_{9F1DF338-931A-4614-A9F5-7C20EAC1C948}. The data is the error code.

Computer Name: KARLA_LAPTOP
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0016CF14A102. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Computer Name: KARLA_LAPTOP
Event Code: 1517
Message: Windows saved user KARLA_LAPTOP\karla registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

There's a lot of information there! I really appreciate you looking through it all.

The quarantined items are soundman.exe, clonedvd2-uninst.exe, pccsmcfd.sys (x 3 times), Soundman.exe, SOUNDMAN.exe. I haven't deleted any of these yet.

Should I go ahead and do the suggestions in the Emergency First Aid for Computer Infections? Unfortunately I read this after doing it wrong the first time (shutting down the system). Great but painful way to learn!
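Jintan asked for the file names and folders behind each F-Prot hit, and pulling those out of a log in the run-together form posted above is tedious by hand. The Python script below is an added example, not code from this thread or from F-Prot: it splits such a log on its timestamps, keeps only the "Found file ... infected with ..." entries, and groups them by detection name and by where the file lived (Windows temp folder versus a System Restore copy), which is the context the triage in this thread turns on. The sample log is constructed from entries posted here; the timestamp on the restore-point entry is an assumption, since that post did not include one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same flattened shape as the F-Prot log posted in the
# thread: entries are run together, each starting with "dd/mm/yyyy h:mm:ss a.m./p.m.".
# Paths and detection names come from the thread; the 15/12 timestamp on the
# restore-point entry is assumed (the post that mentioned that file gave none).
SAMPLE_LOG = (
    "15/12/2010 7:10:02 a.m. F-PROT Antivirus Warning Scanner 4096 NT AUTHORITY\\SYSTEM "
    "KARLA_LAPTOP Found file, C:\\System Volume Information\\_restore"
    "{7FDE3511-2876-4122-A043-FE90622A1974}\\RP1\\A0003196.exe, infected with W32/MalwareS.BJBR\n"
    "\nFor more information please visit http://www.f-prot.com/support/index.html"
    "14/12/2010 8:04:13 a.m. F-PROT Antivirus Warning Scanner 4096 NT AUTHORITY\\SYSTEM "
    "KARLA_LAPTOP Found file, C:\\WINDOWS\\TEMP\\FPQ9.tmp, infected with W32/MalwareS.BJBR\n"
    "\nFor more information please visit http://www.f-prot.com/support/index.html"
    "14/12/2010 8:02:01 a.m. FPAVServer.exe Information Driver 1 N/A KARLA_LAPTOP "
    "The OAS driver is running."
    "13/12/2010 3:31:44 p.m. F-PROT Antivirus Warning Scanner 4096 NT AUTHORITY\\SYSTEM "
    "KARLA_LAPTOP Found file, C:\\WINDOWS\\TEMP\\FPQ6D.tmp, infected with W32/MalwareF.GMXU\n"
    "\nFor more information please visit http://www.f-prot.com/support/index.html"
    "12/12/2010 11:02:53 a.m. F-PROT Antivirus Information Scanner 4096 NT AUTHORITY\\SYSTEM "
    "KARLA_LAPTOP A virus scan ended. Scan duration: 1:23:44"
)

# Every entry begins with a timestamp; a zero-width lookahead marks each entry start,
# so the text can be cut even though nothing separates one entry from the next.
ENTRY_START = re.compile(r"(?=\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]\.m\. )")
TIMESTAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]\.m\.) (.*)$", re.S)
DETECTION = re.compile(r"Found file, (?P<path>.+?), infected with (?P<name>\S+)")


def parse_timestamp(text):
    """Turn '14/12/2010 8:04:13 a.m.' into a datetime."""
    normalised = text.replace("a.m.", "AM").replace("p.m.", "PM")
    return datetime.strptime(normalised, "%d/%m/%Y %I:%M:%S %p")


def split_entries(log_text):
    """Cut the run-together log into entries of {'time': datetime, 'body': str}."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    entries = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(log_text)
        match = TIMESTAMP.match(log_text[start:end].strip())
        if match:
            entries.append({"time": parse_timestamp(match.group(1)),
                            "body": match.group(2)})
    return entries


def classify_location(path):
    """Coarse bucket for where a flagged file lives; the thread's triage hinges on this."""
    lowered = path.lower()
    if "\\system volume information\\_restore" in lowered:
        return "restore-point"   # System Restore copy of an earlier file
    if "\\windows\\temp\\" in lowered or "\\temp\\" in lowered:
        return "windows-temp"    # installers unpack here, and scanners drop .tmp files here
    return "other"


def extract_detections(entries):
    """Keep only the 'Found file ... infected with ...' entries, with their location bucket."""
    found = []
    for entry in entries:
        match = DETECTION.search(entry["body"])
        if match:
            found.append({"time": entry["time"], "path": match["path"],
                          "name": match["name"],
                          "location": classify_location(match["path"])})
    return found


def summarize(detections):
    """Group detections by detection name, newest first, as (path, location) pairs."""
    by_name = defaultdict(list)
    for det in sorted(detections, key=lambda d: d["time"], reverse=True):
        by_name[det["name"]].append((det["path"], det["location"]))
    return dict(by_name)


if __name__ == "__main__":
    hits = extract_detections(split_entries(SAMPLE_LOG))
    for name, paths in summarize(hits).items():
        print(name)
        for path, where in paths:
            print(f"  [{where}] {path}")
```

Run against the real log, the per-name listing shows at a glance whether a detection name hits only installer .tmp files and restore-point copies of them, which is the pattern the rest of this thread weighs when deciding between a real infection and a false positive.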

Not sure I see any rhyme or reason for why F-Prot is targeting those files. Many softwares load, and run, using temp files located in temp folders there. Often, when some security program targets program files and temp files as the same malware, that suggests they could very well be part of the same software/software activity. This one suggests an NSIS (Nullsoft Scriptable Install System) installer file:

C:\WINDOWS\TEMP\FPQ6.tmp->(NSIS)

Could mean this F-Prot flurry of activity is due to an active software install. When and what is the most recent program you installed on your computer?

But I gotta admit some of the files being located by F-Prot there don't seem to have much in common.

One other significant issue is that "W32/MalwareS.BJBR" and "W32/MalwareF.GMXU" are unique to your system - no other web sites show those names. That lends support that the files are not malware (False Positives).

The other logs you posted don't show any malware. I did check more on that "ProxyServer = 192.168.1.2:3128" log entry, and see that it may be some part of a Squid caching proxy function (see here).

It would help if we could check some of those files, but they would need to be restored to their original locations. Though it is not without risk of infection, I sense the files are not malware. All your call on it, but if you want to go ahead with checking the files, just temp disable F-Prot's active scanning (so it won't just re-quarantine the files while we work with them), then have it restore these files:

Before restoring the files, take time to make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types". This way you will be able to see all files there.

As soon as the files are restored, just go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select those restored files.

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

Just click the "(more attachments)" next to the Browse button to upload more than one file.

------------------

Instead of immediately enabling F-Prot after the file upload, leave it disabled, and let's run a good repair scan tool.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Download ComboFix.exe from here to your desktop, then click that to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

That particular entry is from selecting a web-based source as the Active Desktop. Malware has been using that every so often, but this entry may just be that the Registry key for it needs repairing. But let's see what we get from these new steps before addressing that.

I uploaded two of the files to the site you requested, however the one at Windows/Temp I couldn't find. Perhaps this was deleted when I ran CCleaner after I had shut down after the online scan warning. F-Prot was very insistent about re-quarantining the SOUNDMAN.exe file, I had to do some shifty restoring and closing down to get it to stay there long enough to upload it.

Combofix downloaded the recovery console, and started the scan, but unfortunately crashed about Stage 50, with the error "Bad_pool_header" - the same one I got when I tried to run the GMER program. I tried this twice with the same result.

The latest programs I have downloaded are Samsung (for my son's cell phone), Myfree Codec (seems that was installed by Samsung), PowerMenu, Winmerge, and the Rockmelt browser. I hadn't had any problems prior to that, and F-Prot has kept me pretty much virus free. However, I see that the computer my son uses has also picked up a virus; we are networked so possibly this has spread that way?

I have just been going through the F-Prot scan details and I see the C:\WINDOWS\TEMP\FPQ6.tmp->(NSIS) has been giving problems for the last couple of days. I'll look further for it, and if I find it will post to the spykiller site.

Also, the latest program downloaded (rockmelt) was just a few days ago, however I have had Chrome for a while and it seems to just be another version of that ... ?

Just checking in, but I will check the uploaded files when I get time. One other method of dealing with files the antivirus has located is to ignore what the AV program is suggesting it do, and zip a copy of the file it is pointing to. Then let the antivirus do what it wants, and upload the zipped file copy.

I am not too familiar with Google Chrome or RockMelt. Web info shows that Chromium, which is the "open-source project behind Google Chrome", is also what RockMelt was based on, so perhaps that's the tie-in with them.

Both ComboFix and Google causing those problems could be due to them clashing with your security software (which you are disabling before running these scans, yes?), but the more recent malware packages also target those scan/fix tools.

See if those crashes created a log file we can check.

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Then navigate (right click Computer, left click Explore) to the following folder:

c:\windows\minidump

And if one is there, locate in it any recent minidump(date-somenumber).dmp files created, where "date-somenumber" matches dates of any recent crashes there. If they exist, then just zip a copy of it, and send it to jintan AT malwarecrypt.com (replace the "AT" with @) as an attachment. Please place "Submitted Files - karlanz /mc/dmp" as the email Subject.

-------------------

Even though scans like the mbr.exe one do not seem to locate any rootkit infection, let's check anyway.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Click here and download Kaspersky's TDSSKiller to your desktop, then unzip that and place a copy of the TDSSKiller.exe file on your desktop. Then click that to open the scanner.

In the display that opens click Start scan. Once that completes, follow any prompts to act on anything it located, including a reboot if requested.

When the scan completes it will create a log file on your C drive.

Similar in name to this:

C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt

Your copy will be different - some of those numbers will reflect the date/time it was just run by you there.

Is there any way of telling which driver it is that is missing or causing the blue screen crash? I haven't turned my computer off - I'm wondering if this is necessary, just that somewhere I read that each boot up gives a virus a bit of a boost. Not sure if that is my memory fabricating that tho ;-)

Cheers - go well, and don't stress over this, I'm not. Christmas is only ten days away, I just realised today ! Karla

Hi Jintan, last night I was thinking about changes that I made to the computer that might have affected the driver file, and one of those was changing the registry with CCleaner when I did the scan shortly after getting the fake scan warning. So, I merged back those four registry changes, and tried another attempt at running ComboFix, unsuccessfully.

F-Prot has this morning given me two more malware warnings: Found file, C:\System Volume Information\_restore{7FDE3511-2876-4122-A043-FE90622A1974}\RP1\A0003196.exe, infected with W32/MalwareS.BJBR

The registry changes (below) don't seem connected, it was just an idea.

Those Registry Keys reflect what new apps you recently installed. The names also match what you posted about recent installs. That PowerMenuSetup_1_5_1.exe installer file shows up in a few Thai threads. I downloaded and checked it. Didn't see any malware actions in the file codes, and only one scanner felt the files were malware-related:

TheHacker - Trojan/Downloader.Zlob.bouh

One hit out of 43 usually says the hit scanner is in error.

Quote

Is there any way of telling which driver it is that is missing or causing the blue screen crash?

That is what checking the minidump files can do. However, in checking those that you sent, the culprit is either Gmer, or ComboFix's version of Gmer's CatchMe scanner.

-----------------------

I did another check of the logs posted so far, and see Norton has left some things behind. These could be what is causing some issues there.

Be sure to temp disable all security programs, then go here and download the Norton Removal Tool that is appropriate for your version. Then close all open windows and disable all protective software, and click the downloaded file to completely remove Norton from your system. If the removal does not cause a reboot, reboot after the tool has completed the removal. Be sure to save all registration keys before running the tool if you plan to reinstall Norton later.

If you do not recall the version that is okay - the same tool is used for most versions.

I don't ever remember the laptop having Norton, but I ran the tool and am still having ComboFix crash. I'll try the Gmer later.

I'm just wondering if it is possible that my son's computer, which is networked, could be where the virus is? I don't know much about networking, or servers - could there be a virus there which creeps down to my laptop??